zk-SNARKs? On zero-knowledge proofs: I found this useful, so I translated it.

What are zk-SNARKs?

Zcash is the first widespread application of zk-SNARKs, a novel form of zero-knowledge cryptography. The strong privacy guarantee of Zcash is derived from the fact that shielded transactions in Zcash can be fully encrypted on the blockchain, yet still be verified as valid under the network’s consensus rules by using zk-SNARK proofs.


The acronym zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge,” and refers to a proof construction where one can prove possession of certain information, e.g. a secret key, without revealing that information, and without any interaction between the prover and verifier.


“Zero-knowledge” proofs allow one party (the prover) to prove to another (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. For example, given the hash of a random number, the prover could convince the verifier that there indeed exists a number with this hash value, without revealing what it is.


In a zero-knowledge "Proof of Knowledge" the prover can convince the verifier not only that the number exists, but that they in fact know such a number - again, without revealing any information about the number. The difference between "Proof" and "Argument" is quite technical and we don't get into it here.


“Succinct” zero-knowledge proofs can be verified within a few milliseconds, with a proof length of only a few hundred bytes even for statements about programs that are very large. In the first zero-knowledge protocols, the prover and verifier had to communicate back and forth for multiple rounds, but in “non-interactive” constructions, the proof consists of a single message sent from prover to verifier. Currently, the only known way to produce zero-knowledge proofs that are non-interactive and short enough to publish to a block chain is to have an initial setup phase that generates a common reference string shared between prover and verifier. We refer to this common reference string as the public parameters of the system.


If someone had access to the secret randomness used to generate these parameters, they would be able to create false proofs that would look valid to the verifier. For Zcash, this would mean the malicious party could create counterfeit coins. To prevent this from ever happening, Zcash generated the public parameters through an elaborate, multi-party ceremony. To learn more about our parameter generation ceremony and see the precautions we’ve taken to prevent the secret randomness essential to Zcash from being exposed (e.g. computers being blowtorched), visit our Paramgen page. To learn more about the math behind the parameter generation protocol, read our blog post or whitepaper on the topic.


HOW ZK-SNARKS ARE CONSTRUCTED IN ZCASH

In order to have zero-knowledge privacy in Zcash, the function determining the validity of a transaction according to the network’s consensus rules must return the answer of whether the transaction is valid or not, without revealing any of the information it performed the calculations on. This is done by encoding some of the network's consensus rules in zk-SNARKs. At a high level, zk-SNARKs work by first turning what you want to prove into an equivalent form about knowing a solution to some algebraic equations. In the following section, we give a brief overview of how the rules for determining a valid transaction get transformed into equations that can then be evaluated on a candidate solution without revealing any sensitive information to the parties verifying the equations.


Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK


The first step in turning our transaction validity function into a mathematical representation is to break down the logical steps into the smallest possible operations, creating an “arithmetic circuit”. Similar to a boolean circuit where a program is compiled down to discrete, single steps like AND, OR, NOT, when a program is converted to an arithmetic circuit, it’s broken down into single steps consisting of the basic arithmetic operations of addition, subtraction, multiplication, and division (although in our particular case, we will avoid using division).


Here is an example of what an arithmetic circuit looks like for computing the expression (a+b)*(b*c):


Looking at such a circuit, we can think of the input values a, b, c as "traveling" left-to-right on the wires towards the output wire. Our next step is to build what is called a Rank 1 Constraint System, or R1CS, to check that the values are “traveling correctly”. In this example, the R1CS will confirm, for instance, that the value coming out of the multiplication gate where b and c went in is b*c.


In this R1CS representation, the verifier has to check many constraints — one for almost every wire of the circuit. (For technical reasons, it turns out we only have a constraint for wires coming out of multiplication gates.) In a 2012 paper on the topic, Gennaro, Gentry, Parno and Raykova presented a nice way to “bundle all these constraints into one”. This method uses a representation of the circuit called a Quadratic Arithmetic Program (QAP). The single constraint that needs to be checked is now between polynomials rather than between numbers. The polynomials can be quite large, but this is alright because when an identity does not hold between polynomials, it will fail to hold at most points. Therefore, you only have to check that the two polynomials match at one randomly chosen point in order to correctly verify the proof with high probability.


If the prover knew in advance which point the verifier would choose to check, they might be able to craft polynomials that are invalid, but still satisfy the identity at that point. With zk-SNARKs, sophisticated mathematical techniques such as homomorphic encryption and pairings of elliptic curves are used to evaluate polynomials “blindly” - i.e. without knowing which point is being evaluated. The public parameters described above are used to determine which point will be checked, but in encrypted form so that neither the prover nor the verifier know what it is.


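The pipeline described in the preceding paragraphs (arithmetic circuit, R1CS, QAP, then a single check at one point) is small enough to work through by hand for the page's own expression (a+b)*(b*c). The following is an added example, not Zcash or libsnark code: it builds the two R1CS constraints for the two multiplication gates, interpolates them into QAP polynomials, has the prover compute the quotient H(x) = (A(x)B(x) - C(x)) / Z(x), and has the verifier check the identity at one random point s. It also shows why the setup randomness matters: `forge_h_knowing_s` demonstrates that a prover who learns s can make an invalid witness pass the point check, which is exactly what the ceremony for the public parameters is designed to prevent. The prime P, the wire layout, the evaluation points r_i = i and all function names are assumptions made for illustration; the pairing-based blind evaluation is not modelled, so s is simply drawn at random here.

```python
"""Circuit -> R1CS -> QAP for (a+b)*(b*c) over a toy prime field. Added example, not
Zcash/libsnark code; P, wire layout and points r_i = i are assumptions. The pairing-based
'blind' evaluation is not modelled: the verifier evaluates at a random s the setup would hide."""
import random
from functools import reduce
from itertools import zip_longest

P = 2**61 - 1  # toy prime modulus (assumption; Zcash uses a curve's scalar field)
ONE, A, B, C, M1, OUT = range(6)  # witness w = [1, a, b, c, m1=b*c, out=(a+b)*m1]
# One R1CS constraint per multiplication gate: (A_i . w) * (B_i . w) = C_i . w
R1CS = [
    ([0, 0, 1, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0]),  # b * c = m1
    ([0, 1, 1, 0, 0, 0], [0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 0, 1]),  # (a + b) * m1 = out
]
XS = [i + 1 for i in range(len(R1CS))]  # constraint i is checked at x = r_i = i + 1

def witness(a, b, c):
    m1 = b * c % P
    return [1, a % P, b % P, c % P, m1, (a + b) * m1 % P]

def dot(row, w):
    return sum(r * x for r, x in zip(row, w)) % P

def r1cs_ok(w):
    """Verifier work in R1CS form: one check per multiplication gate."""
    return all(dot(ar, w) * dot(br, w) % P == dot(cr, w) for ar, br, cr in R1CS)

# --- polynomials over GF(P): coefficient lists, lowest degree first ---
def padd(f, g):
    return [(x + y) % P for x, y in zip_longest(f, g, fillvalue=0)]

def pscale(f, k):
    return [fi * k % P for fi in f]

def peval(f, x):
    return reduce(lambda acc, coef: (acc * x + coef) % P, reversed(f), 0)

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % P
    return out

def pdivmod(f, g):
    """Long division: (quotient, remainder); remainder is all zeros iff g divides f."""
    f, q, inv = f[:], [0] * max(1, len(f) - len(g) + 1), pow(g[-1], P - 2, P)
    for i in range(len(f) - len(g), -1, -1):
        q[i] = f[i + len(g) - 1] * inv % P
        for j, gj in enumerate(g):
            f[i + j] = (f[i + j] - q[i] * gj) % P
    return q, f

def lagrange(xs, ys):
    """The unique polynomial of degree < len(xs) with value ys[i] at xs[i]."""
    poly = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        term = [yi]
        for j, xj in enumerate(xs):
            if j != i:
                inv = pow((xi - xj) % P, P - 2, P)
                term = pmul(term, [(-xj * inv) % P, inv])  # (x - xj) / (xi - xj)
        poly = padd(poly, term)
    return poly

def z_poly():
    """Target polynomial Z(x) = prod (x - r_i): zero exactly at the constraint points."""
    return reduce(pmul, ([(-x) % P, 1] for x in XS), [1])

def qap():
    """QAP: for matrix k and wire j, the polynomial taking value R1CS[i][k][j] at r_i."""
    return [[lagrange(XS, [row[k][j] for row in R1CS]) for j in range(6)] for k in range(3)]

def qap_prove(w):
    """Prover: A(x)B(x) - C(x) must be a multiple of Z(x); H is the quotient."""
    A_, B_, C_ = (reduce(padd, (pscale(pj, wj) for pj, wj in zip(polys, w)), [0]) for polys in qap())
    h, rem = pdivmod(padd(pmul(A_, B_), pscale(C_, P - 1)), z_poly())
    return A_, B_, C_, h, all(r == 0 for r in rem)

def qap_verify_at(A_, B_, C_, h, s):
    """Verifier: one identity check at a single point s (Schwartz-Zippel)."""
    lhs = (peval(A_, s) * peval(B_, s) - peval(C_, s)) % P
    return lhs == peval(h, s) * peval(z_poly(), s) % P

def forge_h_knowing_s(A_, B_, C_, s):
    """Why the setup randomness is toxic waste: a prover who learns s can choose a
    constant H that agrees at s alone, so an invalid witness passes the point check."""
    num = (peval(A_, s) * peval(B_, s) - peval(C_, s)) % P
    return [num * pow(peval(z_poly(), s), P - 2, P) % P]

def demo(a=3, b=4, c=5, seed=None):
    """Per witness: (r1cs_ok, Z divides A*B-C, honest H verifies at s, forged H verifies)."""
    s = random.Random(seed).randrange(1, P)
    good = witness(a, b, c)
    bad = good[:]
    bad[OUT] = (bad[OUT] + 1) % P  # tampered output wire
    results = {}
    for name, w in (("valid", good), ("tampered", bad)):
        A_, B_, C_, h, exact = qap_prove(w)
        forged = forge_h_knowing_s(A_, B_, C_, s)
        results[name] = (r1cs_ok(w), exact, qap_verify_at(A_, B_, C_, h, s),
                         qap_verify_at(A_, B_, C_, forged, s))
    return results
```

`demo()` returns, for the honest witness, all four checks passing, and for the tampered one, the R1CS check, the divisibility test and the honest point check all failing while the forged H still passes. The difference A(x)B(x) - C(x) - H(x)Z(x) for an invalid witness is a non-zero polynomial of degree below that of Z, so it has very few roots and a random s misses them with overwhelming probability; that is the whole reason one evaluation can replace checking every constraint, and also the reason the point must be generated so that nobody learns it.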
The description so far has mainly addressed how to get the S and N in “SNARKs” — how to get a short, non-interactive, single message proof — but hasn’t addressed the “zk” (zero-knowledge) part which allows the prover to maintain the confidentiality of their secret inputs. It turns out that at this stage, the “zk” part can be easily added by having the prover use “random shifts” of the original polynomials that still satisfy the required identity.


For a step-by-step, in-depth explanation of key concepts behind zk-SNARKs in Zcash, see our SNARKs Explainer series with posts on:


  1. Homomorphic Hiding

  2. Blind Evaluation of Polynomials

  3. The Knowledge of Coefficient Test and Assumption

  4. How to make Blind Evaluation of Polynomials Verifiable

  5. From Computations to Polynomials

  6. The Pinocchio Protocol

  7. Pairings of Elliptic Curves




Zcash uses a fork of libsnark, a C++ library for zk-SNARKs. You can inspect the code and learn more about our implementation on github. For a deeper dive into the protocol used for Zcash’s zk-SNARKs, refer to this paper on the Pinocchio protocol.


HOW ZK-SNARKS ARE APPLIED TO CREATE A SHIELDED TRANSACTION

In Bitcoin, transactions are validated by linking the sender address, receiver address, and input and output values on the public blockchain. Zcash uses zk-SNARKs to prove that the conditions for a valid transaction have been satisfied without revealing any crucial information about the addresses or values involved. The sender of a shielded transaction constructs a proof to show that, with high probability:


  • The input values sum to the output values for each shielded transfer.

  • The sender proves that they have the private spending keys of the input notes, giving them the authority to spend.

  • The private spending keys of the input notes are cryptographically linked to a signature over the whole transaction, in such a way that the transaction cannot be modified by a party who did not know these private keys.

In addition, shielded transactions must satisfy some other conditions that are described below.


Bitcoin tracks unspent transaction outputs (UTXOs) to determine what transactions are spendable. In Zcash, the shielded equivalent of a UTXO is called a “commitment”, and spending a commitment involves revealing a “nullifier”. Zcash nodes keep lists of all the commitments that have been created, and all the nullifiers that have been revealed. Commitments and nullifiers are stored as hashes, to avoid disclosing any information about the commitments, or which nullifiers relate to which commitments.


For each new note created by a shielded payment, a commitment is published which consists of a hash of: the address to which the note was sent, the amount being sent, a number “rho” which is unique to this note (later used to derive the nullifier), and a random nonce.


Commitment = HASH(recipient address, amount, rho, r)


When a shielded transaction is spent, the sender uses their spending key to publish a nullifier which is the hash of the secret unique number ("rho") from an existing commitment that has not been spent, and provides a zero-knowledge proof demonstrating that they are authorized to spend it. This hash must not already be in the set of nullifiers tracking spent transactions kept by every node in the blockchain.


Nullifier = HASH(spending key, rho)


The zero-knowledge proof for a shielded transaction verifies that, in addition to the conditions listed above, the following assertions are also true:


  • For each input note, a revealed commitment exists.

  • The nullifiers and note commitments are computed correctly.

  • It is infeasible for the nullifier of an output note to collide with the nullifier of any other note.

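To make the commitment and nullifier rules above concrete, here is an added example (not Zcash code) of the bookkeeping a node performs: every commitment ever created and every nullifier ever revealed are kept, a commitment is `HASH(recipient address, amount, rho, r)` and a nullifier is `HASH(spending key, rho)` as the page states, and a transfer is accepted only if each input commitment exists, no nullifier has been seen before, the sender holds the spending key, and inputs balance outputs. SHA-256 stands in for the protocol's hash functions, the address derivation `H("addr", spending_key)` is an assumption made for illustration, and the zk-SNARK is replaced by the node recomputing the facts the proof would attest to, so the secrets are visible to the node here whereas on the real network only the proof, the commitment and the nullifier are published. The keys and amounts in `demo()` are constructed.

```python
"""Toy model of the commitment/nullifier bookkeeping a Zcash node performs.
Added example, not Zcash code. SHA-256 stands in for the protocol's hash functions,
addresses are derived as H("addr", spending_key) purely for illustration, and the
zk-SNARK is replaced by the node recomputing the facts a proof would attest to
(so secrets are visible here; on the real network only the proof and hashes are)."""
import hashlib
import os
from dataclasses import dataclass, field

def H(*parts):
    """Stand-in hash over length-prefixed fields (not Zcash's actual construction)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()

def address(spending_key: bytes) -> str:
    return H("addr", spending_key)  # toy derivation; assumption for this example

@dataclass(frozen=True)
class Note:
    recipient: str  # shielded address the note was sent to
    amount: int
    rho: bytes      # unique per note; the nullifier is derived from it
    r: bytes        # random commitment nonce

    def commitment(self) -> str:
        return H(self.recipient, self.amount, self.rho, self.r)

def new_note(recipient: str, amount: int) -> Note:
    return Note(recipient, amount, os.urandom(32), os.urandom(32))

def nullifier(spending_key: bytes, note: Note) -> str:
    return H(spending_key, note.rho)

@dataclass
class Ledger:
    """What every node keeps: all commitments ever created, all nullifiers ever revealed."""
    commitments: set = field(default_factory=set)
    nullifiers: set = field(default_factory=set)

    def mint(self, note: Note) -> None:
        """Stand-in for a note entering the shielded pool."""
        self.commitments.add(note.commitment())

    def apply_transfer(self, spending_key: bytes, inputs, outputs):
        """Checks a shielded transfer and applies it atomically; returns (accepted, reason).
        Each check is something the proof attests to in Zcash; here the node recomputes it."""
        fresh = set()
        for n in inputs:
            if n.commitment() not in self.commitments:
                return False, "no commitment exists for an input note"
            if n.recipient != address(spending_key):
                return False, "sender does not hold the spending key for an input note"
            nf = nullifier(spending_key, n)
            if nf in self.nullifiers or nf in fresh:
                return False, "nullifier already revealed: double spend"
            fresh.add(nf)
        if sum(n.amount for n in inputs) != sum(n.amount for n in outputs):
            return False, "input values do not sum to output values"
        self.nullifiers |= fresh  # reject paths above return before any state changes
        self.commitments |= {n.commitment() for n in outputs}
        return True, "ok"

def demo():
    """Constructed scenario: a valid spend, a replay of a spent note, a spend by the
    wrong key holder, and an unbalanced transfer. Returns (results, #commitments, #nullifiers)."""
    alice_key, bob_key = b"alice-spending-key-demo", b"bob-spending-key-demo"  # constructed
    ledger = Ledger()
    n5, n3 = new_note(address(alice_key), 5), new_note(address(alice_key), 3)
    ledger.mint(n5)
    ledger.mint(n3)
    results = [
        ledger.apply_transfer(alice_key, [n5, n3],
                              [new_note(address(bob_key), 6), new_note(address(alice_key), 2)]),
        ledger.apply_transfer(alice_key, [n5], [new_note(address(bob_key), 5)]),  # replay
        ledger.apply_transfer(bob_key, [n3], [new_note(address(bob_key), 3)]),    # wrong key
        ledger.apply_transfer(alice_key, [], [new_note(address(alice_key), 9)]),  # unbalanced
    ]
    return results, len(ledger.commitments), len(ledger.nullifiers)
```

Two details worth noticing when running `demo()`: the rejected transfers leave the ledger untouched (four commitments and two nullifiers after the one accepted spend), and changing the nonce `r` of a note changes its commitment but not its nullifier, which is what lets a node detect a second spend of the same note without learning which commitment it came from. In Zcash the commitment set is a Merkle tree and the proof shows membership by a path rather than by the node looking the note up, and the proof, not a recomputed address, is what ties the nullifier to knowledge of the spending key.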


In addition to the spending keys used to control addresses, Zcash uses a set of proving and verifying keys to create and check proofs. These keys are generated in the public parameter ceremony discussed above, and shared among all participants in the Zcash network. For each shielded transaction, the sender uses their proving key to generate a proof that their inputs are valid. Miners check that the shielded transaction follows consensus rules by checking the prover’s computation with the verifying key. The way that Zcash’s proof generation is designed requires the prover to do more work up-front, but it simplifies verifying, so that the major computational work is offloaded to the creator of the transaction (this is why creating a shielded Zcash transaction can take up to 40 seconds, while verifying that a transaction is valid only takes milliseconds).


The privacy of Zcash’s shielded transactions relies upon standard, tried-and-tested cryptography (hash functions and stream ciphers), but it's the addition of zk-SNARKs, applied with the system of commitments and nullifiers, that allows senders and receivers of shielded transactions to prove that encrypted transactions are valid. Other methods of providing privacy for cryptocurrencies rely upon obscuring the linkage between transactions, but the fact that Zcash transactions can be stored on the blockchain fully encrypted opens up new possibilities for cryptocurrency applications. Encrypted transactions allow parties to enjoy the benefits of public blockchains, while still protecting their privacy. Planned future upgrades will allow users to selectively disclose information about shielded transactions at their discretion. See our Near Future of Zcash blog post on future plans for Zcash.


For a more in-depth explanation of how shielded transactions are constructed in Zcash, see our blog post on How Transactions Between Shielded Addresses Work. For full details on the current Zcash protocol, refer to our protocol specification.


FUTURE APPLICATIONS OF ZK-SNARKS

Creating shielded transactions in Zcash is only one example out of many possible applications of zk-SNARKs. Theoretically, you can use a zk-SNARK to verify any relation without disclosing inputs or leaking information. Generating proofs for complex functions is still too computationally intensive to be practical for many applications, but the Zcash team is pushing the boundaries for optimizing zk-SNARKs, and is already breaking new ground with more efficient implementations.


As it currently stands, Zcash's implementation of zk-SNARKs can be added to any existing distributed ledger solution as a Zero-knowledge Security Layer for enterprise use cases. The scientists on the Zcash team are among the most knowledgeable researchers of zk-SNARKs in the world, and are constantly working on coming up with new applications and improving the efficiency of zero-knowledge protocols. If you have a business need that could benefit from the application of zero-knowledge proofs or blockchain solutions with robust privacy, get in touch with our business development team.


Reposted from blog.csdn.net/zhaiguowei/article/details/80935525